Privacy Policy

Last updated: April 2026. Contact: privacy@workmate.ie

1. Introduction

WorkMate ("WorkMate", "we", "us", "our") is the trading name of Oguzhan Ada, a sole trader registered with the Companies Registration Office of Ireland under Business Name Registration No. 783488, with registered address at 31A Grand Parade, Cork, T12 K095, Ireland. WorkMate is operated from Cork, Ireland, under the jurisdiction of the Revenue Commissioners. All payments on the platform are processed by Stripe Technology Europe, Limited — a licensed payment institution authorised by the Central Bank of Ireland.

In the context of this platform, the trader named above is the Data Controller responsible for personal data collected through workmate.ie. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and all applicable Irish data protection law.

For any privacy-related queries, contact us at: privacy@workmate.ie

2. Data We Collect

Depending on how you use the platform, we may collect:

Identity & contact: full name, email address, phone number (normalised to Irish +353 format).
Location: Eircode, county, and service area preferences.
Service history: jobs posted, quotes received, bookings made, reviews given and received.
Payment information: payment is processed by Stripe. WorkMate does not store full card details — we hold only Stripe customer and payment intent references.
Provider credentials: optional supporting documents uploaded by providers (public liability insurance, Safe Pass, tax clearance, trade licence) for badge display and credibility. Identity verification itself is performed by Stripe Connect during onboarding — no identity document is uploaded to WorkMate.
Usage data: browser type, IP address, pages visited, and session activity for security and platform improvement.

3. How We Use Your Data

Delivering and operating the marketplace platform.
Matching customers with suitable service providers.
Processing payments and managing the Stripe Connect payment hold flow.
Sending transactional emails (booking confirmations, alerts, receipts).
Verifying provider identity, vetting status, and professional qualifications.
Fraud prevention, risk scoring, and platform safety.
Handling disputes and customer support requests.
Meeting legal and regulatory obligations under Irish and EU law.

4. Legal Basis (GDPR Article 6)

Contract performance (Art. 6(1)(b)): processing necessary to provide the service you have signed up for, including job posting, quoting, booking, and payment processing.
Legitimate interests (Art. 6(1)(f)): fraud detection, platform security, improving our matching algorithms, and sending service-related communications.
Consent (Art. 6(1)(a)): optional marketing communications and non-essential cookies (where applicable).
Legal obligation (Art. 6(1)(c)): tax records, financial reporting, and compliance with Irish statutory requirements.

5. Data Sharing

We do not sell your personal data. We share data only with trusted processors required to operate the platform:

Stripe— payment processing and Connect payouts (Stripe Inc., subject to Stripe's Privacy Policy).
Resend — transactional email delivery. Sender address: notifications@workmate.ie.
Supabase — database and file storage (hosted in EU region where available).
Sentry — application error tracking and performance monitoring. PII (email, phone, Eircode) is redacted before transmission. Data is stored in Germany (EU data residency).
Vercel — platform hosting, deployment infrastructure, Vercel Analytics, and Speed Insights. Analytics are privacy-friendly, first-party, and do not use advertising cookies or fingerprinting. Data may be processed in the United States under Standard Contractual Clauses.
Groq Inc. — AI-powered job description assistance (when opted in by the customer). Job description text is sent to the Groq API for enhancement suggestions only and is not stored by Groq beyond the duration of the API request. Data may be processed in the United States under Standard Contractual Clauses.
Cloudflare R2 — file storage for profile photos and job images. Data stored in the EU. See the Cloudflare Privacy Policy.
Upstash Redis — rate limiting and caching. Processes anonymous request metadata only (no personal data stored). Hosted in EU (AWS eu-west-1). See the Upstash Privacy Policy.
Cloudflare Turnstile — bot protection on forms. Processes browser signals for verification; no personal data is stored. See the Cloudflare Privacy Policy.
Competent authorities— where required by Irish law, including the Revenue Commissioners and An Garda Síochána.

Internal Access to Your Information

Authorised WorkMate administrators may access your personal information, including supporting documents you have uploaded (insurance, Safe Pass, trade credentials), for the following purposes:

Reviewing and approving professional qualifications, insurance, and SafePass.
Investigating reported issues, disputes, or safety concerns.
Preventing fraud and maintaining platform security.
Complying with legal obligations (for example, DAC7 tax reporting under EU Directive 2021/514).

All administrative access to personal data is recorded in an internal audit log for accountability under GDPR Article 5(1)(f). Admin accounts require multi-factor authentication (MFA) and are restricted to staff with a legitimate business need. Access to uploaded documents is granted via time-limited signed links (5 minutes); no copies are stored locally.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) for onboarding and support, and legitimate interests (Art. 6(1)(f) GDPR) for fraud prevention and platform safety. Where DAC7 or Irish tax law applies, processing is further justified by legal obligation (Art. 6(1)(c)).

Joint Data Controllers

When you hire a Provider through WorkMate, that Provider receives your contact details and job information necessary to perform the service. In this context, both WorkMate and the Provider act as independent data controllers of your personal data. Each party is responsible for its own compliance with data protection law. Please review the Provider's own privacy practices before sharing additional personal information beyond what is necessary for the job.

6. Data Retention

Data Type	Retention	Basis
Account data	Duration of account + 1 year	Legitimate interest
Job & payment records	7 years	Taxes Consolidation Act 1997
Messages	3 years	Dispute resolution
Provider supporting documents	Duration of account + 90 days after expiry or removal	GDPR legitimate interests — provider credibility display. Identity verification is performed by Stripe Connect; WorkMate does not store identity documents.
Sentry error logs	90 days	Security & stability
Rate limiting data	24 hours	Security

For full retention periods by data category, see our Data Retention Policy.

Tax Authority Disclosure (DAC7)

Under EU Directive 2021/514 (DAC7), transposed into Irish law, WorkMate is required to share provider earnings data with the Irish Revenue Commissioners annually.

Data shared: name, address, tax identification number, date of birth, bank account details, total earnings, and transaction count.
Reporting applies to providers earning over €2,000/year or completing 30+ transactions.
Revenue Commissioners may share this information with tax authorities in other EU member states.
This is a legal obligation under Art. 6(1)(c) GDPR. We cannot process provider payments without the required tax information.

7. Your Rights

Under GDPR you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — have inaccurate data corrected.
Erasure— request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Portability — receive your data in a structured, machine-readable format.
Restriction — request restriction of processing in certain circumstances (e.g. while accuracy is contested).
Objection — object to processing based on legitimate interests.
Lodge a complaint — with the Data Protection Commission Ireland at www.dataprotection.ie.

To exercise any of these rights, email privacy@workmate.ie. We will respond within 30 days.

8. Cookies

WorkMate uses session cookies strictly necessary to keep you logged in and maintain your preferences. We do not place third-party advertising cookies. For performance monitoring we use Vercel Analytics and Vercel Speed Insights — both are privacy-friendly, first-party tools that do not use cookies or fingerprinting. You can manage cookie preferences via the consent banner displayed on your first visit. For a full list of cookies by category, see our Cookie Policy.

9. International Data Transfers

WorkMate primarily stores data within the EU (Supabase EU region).
Some processors (Stripe, Sentry, Vercel) may transfer data to the United States.
All international transfers are covered by Standard Contractual Clauses (SCCs) or EU adequacy decisions.
Data Processing Agreements (DPAs) have been signed with all third-party processors.

10. Data Security

Industry-standard encryption: TLS 1.2+ for data in transit, AES-256 for data at rest.
Row Level Security (RLS) enforced on all database tables to ensure users can only access their own data.
Regular security audits and penetration testing.
Incident response within 72 hours as required by GDPR Article 33.
Access controls and audit logging for all administrative actions.

11. Automated Decision-Making

WorkMate performs automated document validation at the time of credential upload — checking file type and filename/metadata signals against the expected document type. The validation produces a signal; it does not make a verification decision on its own.
Provider compliance scores are calculated automatically based on verified credentials (government ID, public liability insurance, Safe Pass, tax clearance). Compliance scores inform the Smart Match ranking of provider quotes shown to customers.
No solely automated decisions are made that produce legal effects concerning you. Verification approvals, account suspensions, and dispute outcomes are decided by a human administrator.
You may request human review of any automated signal, or the specific rationale for a decision, by contacting privacy@workmate.ie.

12. Children's Data

WorkMate is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that data has been collected from a minor, it will be deleted promptly. If you believe a child has provided us with personal data, please contact privacy@workmate.ie.

13. Data Protection Contact

Data protection queries can be directed to our privacy team at privacy@workmate.ie for any data protection concerns or queries.

Supervisory authority: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland — www.dataprotection.ie.

14. Contact & Updates

For all privacy enquiries: privacy@workmate.ie. This policy was last updated in April 2026. We will notify registered users of material changes via email with at least 14 days' notice.

Material changes to the Terms & Conditions that affect your rights receive at least 30 days' notice per our Terms & Conditions (§11) and Regulation (EU) 2019/1150 Article 3.